IIAs Certified Internal Auditor (CIA) Learning System Individual Part 2 Book (The Institute of Internal Auditor (IIA)) (Z-Library)

Author: The Institute of Internal Auditor (IIA)

Technology


📄 File Format: PDF
💾 File Size: 9.6 MB

📄 Text Preview (First 20 pages)

Part 2: Practice of Internal Auditing

Welcome to Part 2 of The IIA’s CIA Learning System®. The self-study text for the learning system includes the content addressed in The IIA’s CIA syllabus. (You can download the syllabus from the online Resource Center or from The IIA’s website.) However, in some cases, the content has been reorganized to facilitate instruction and understanding. Refer to the Table of Contents for an outline of the content.

To get the most out of the course materials, complete the course in this order:

1. Begin by accessing the course at www.learncia.com.
2. Read the overview and return to the menu. Select Part 2 from the menu.
3. Complete the pre-test and view the report to help focus your study efforts.
4. Read each section and follow the Next Steps directions included at the end of the section.
5. Complete Part 2 as outlined in the online overview.

Note that Part 2 of the CIA exam will consist of 100 multiple-choice questions and test takers are given 120 minutes to complete this portion of the exam. You can go to https://na.theiia.org/certification/CIA-Certification/Pages/CIA-Certification.aspx to register for the exam separately.

Study Support

The IIA’s CIA Learning System includes online tools to support your study. These tools may be accessed from the menu at any time.

• Glossary—Refer to the glossary for definitions of terms used in all three parts of The IIA’s CIA syllabus.
• Reports—Refer to the reports to review your most recent test scores and progress through the learning system.
• Resource Center—Refer to the Resource Center to access information about The IIA’s International Professional Practices Framework, updates, test-taking tips, printable flashcards, related links, and reference material and to provide feedback to The IIA regarding the learning system.
The IIA’s CIA Learning System®

The IIA’s CIA Learning System® is based on the Certified Internal Auditor® (CIA®) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the learning system is a good tool for study, reading the text does not guarantee a passing score on the CIA exam.

Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice.

This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright

These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.

Acknowledgments

The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during the development and subsequent updates of The IIA’s CIA Learning System.

Pat Adams, CIA
Terry Bingham, CIA, CISA, CCSA
Raven Catlin, CIA, CPA, CFSA
Patrick Copeland, CIA, CRMA, CISA, CPA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
Al Marcella, PhD, CISA, CCSA
Markus Mayer, CIA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Gary Mitten, CIA, CCSA
Lynn Morley, CIA, CGA
Lyndon Remias, CIA
James D. Hallinan, CIA, CPA, CFSA, CBA
Larry Hubbard, CIA, CCSA, CPA, CISA
Jim Key, CIA
David Mancina, CIA, CPA
James Roth, PhD, CIA, CCSA
Brad Schwieger, CPA, DBA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CITP
Part 2 Overview

Part 2 of The IIA’s CIA Learning System focuses on the auditor’s abilities related to the Performance Standards (series 2000, 2200, 2300, 2400, 2500, and 2600). Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of internal auditing services can be measured. Note that Standard 2100 (“Nature of Work”) is addressed in Part 1, Section V, “Governance, Risk Management, and Control.”

Part 2 is made up of four sections:

I. Managing the Internal Audit Activity. The chief audit executive (CAE) must effectively manage the internal audit activity to ensure that it adds value to the organization (Standard 2000).
II. Planning the Engagement. Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement (Standard 2200).
III. Performing the Engagement. Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives (Standard 2300).
IV. Communicating Engagement Results and Monitoring Progress. Internal auditors must communicate the results of engagements (Standard 2400). The CAE must establish and maintain a system to monitor the disposition of results communicated to management (Standard 2500), discuss any remaining unacceptable risk levels with senior management, and communicate any unresolved issues related to unacceptable risk levels to the board (Standard 2600).

Those managing engagements must ensure that engagements are conducted in a professional manner—from planning through supervision and communication to monitoring engagement outcomes—and with a continuous awareness of risk.
Section I: Managing the Internal Audit Activity

This section is designed to help you:

• Describe policies and procedures of internal auditing operations.
• Interpret administrative activities of internal audit.
• Identify sources of potential engagements.
• Identify a risk management framework to assess risks.
• Prioritize audit engagements based on the results of a risk assessment.
• Interpret the types of assurance engagements.
• Interpret the types of consulting engagements.
• Describe coordination of internal audit efforts with external auditors, regulatory oversight bodies, and other internal assurance functions.
• Describe potential reliance on other assurance providers.
• Describe how the chief audit executive (CAE) communicates the annual audit plan and its results to senior management and the board.
• Identify how the CAE seeks board approval of the annual audit plan.
• Identify significant risk exposures and control and governance issues for the CAE to report to the board.
• Recognize that the CAE reports on the overall effectiveness of the organization’s internal control and risk management processes to senior management and the board.
• Identify internal audit key performance indicators that the CAE communicates to senior management and the board periodically.

The Certified Internal Auditor (CIA) exam questions based on content from this section make up approximately 20% of the total number of questions for Part 2. Most of the topics are covered at the “B—Basic” level, meaning that you are responsible for comprehension and recall of information. (Note that this refers to the difficulty level of questions you may see on the exam; the content in these areas may still be complex.) A few topics are covered at the “P—Proficient” level, meaning that you are responsible not only for comprehension and recall but also for higher-level mastery, including application, analysis, synthesis, and evaluation.

Section Introduction

Performance Standard 2000, “Managing the Internal Audit Activity,” states that the chief audit executive must effectively manage the internal audit activity to ensure that it adds value to the organization. Interpretation tells us that “the internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management and control processes; and objectively provides relevant assurance.”

This section focuses on the criteria for effectively managing the internal audit function at both strategic and operational levels.

From a strategic perspective, the CAE must ensure the establishment of a risk-based plan for managing the function’s activity. This will require that internal audit leaders:

• Manage changes needed to implement and support the organization’s strategy.
• Establish relationships throughout the organization to foster communication and cooperation.
• Assess and promote an ethical climate and good governance.
• Develop an appropriate system to measure the efficiency and effectiveness of the internal audit function and report performance to senior management and the board.
• Manage interactions with external auditors, regulatory bodies, and other internal assurance functions.

From an operational perspective, the CAE must ensure that the function is managed in a professional manner and that:

• Policies and procedures are in place to plan, organize, direct, and monitor internal audit operations.
• The function is administered to make the best use of internal audit resources.
• The function is staffed appropriately for its tasks.
• A risk-based audit plan is used to identify potential engagements and prioritize engagements.
• Management is informed about the effectiveness of the organization’s internal control and risk management frameworks.
• The quality of internal audit work is monitored, assessed, and reported to management, and a quality assurance and improvement program is in place.
Chapter 1: Internal Audit Operations

Chapter Introduction

Strategically managed organizations recognize the need to operate not just as organizationally connected functions but as fully integrated, often interdependent parts of a whole. Functional and operational strategies must be aligned with the organizational strategy. The organization’s risk management approach must be enterprise-wide.

The internal audit activity plays a critical role in ensuring that the organization’s resources are being used efficiently and effectively toward accomplishing organizational objectives and that the organization’s internal control framework is adequate for controlling the variety of internal and external risks to which the organization is vulnerable.

The topics in this chapter focus on the role of internal audit at an operational level, including how the CAE ensures that the activity can fulfill its role and responsibilities. This includes:

• Formulating policies and procedures that support the activity’s independence, objectivity, proficiency, and due professional care.
• Directing administrative functions that allow the activity to operate efficiently and effectively.
Topic A: Policies and Procedures for Internal Audit Operations (Level B)

Policies and Procedures

Engagement management is the process of planning, organizing, directing, and monitoring an internal audit activity’s resources (people, equipment and technology, time, and money) so that objectives can be met within the defined scope, time, and cost constraints of assurance and consulting engagements.

• Planning, which is at a strategic level, includes activities such as developing a risk-based audit plan and reviewing staff competency needs and planning for hiring and development. The audit plan is discussed in the next chapter.
• Organizing, which is at an operational level, involves designing structures and processes aimed at achieving activity objectives and overall goals of efficiency and effectiveness. This may include assigning auditors to specific engagements on the basis of their experience with similar engagements and their business experience. It may also involve allocating time for engagement activities like planning, developing and implementing the audit program, conducting fieldwork, and writing reports.
• Directing includes the many tasks in leading internal audit. Communication and coordination must be maintained within the organization, with the board, and with external bodies, as applicable. New staff members must be interviewed and hired or contracted with. Performance management systems should be implemented.
• Monitoring involves activities such as ensuring that budgets are monitored and assessed; that the audit committee, senior management, and engagement clients are receiving value-added services; and that the activity is meeting its strategic objectives, including the requirements of the audit plan.

Audit policies and procedures help the chief audit executive in carrying out these management activities. Establishing policies and procedures might entail developing processes to support engagement work, such as engagement initiation/transition meetings and report review processes, processes for qualifying and contracting with external service providers, structures for communicating different types of activity information, monitoring processes aimed at maintaining quality and budget adherence (e.g., dashboards), and channels for gathering this data.

Internal audit policies typically include guidance on:

• The overall purpose and responsibilities of the internal audit activity.
• Adherence to the mandatory guidance of the International Professional Practices Framework (IPPF).
• Independence and objectivity.
• Ethics.
• Protecting confidential information.
• Record retention.
• Staff training.
• Establishing a quality assurance and improvement program.

Internal audit procedures typically include guidance on:

• Preparing a risk-based audit plan.
• Planning an audit and preparing the engagement work program.
• Performing audit engagements.
• Documenting audit engagements.
• Communicating results/reporting.
• Monitoring and follow-up processes.

Interpretation of Standard 2040 stipulates that “the form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.”

Audit Manuals

The audit manual provides a guide to existing and new members of the internal auditing activity about the activity’s objectives, the way these objectives will be accomplished (the policies and procedures), and the use of internal audit standards. The documents may include methods and tools for training and may require internal auditors to provide acknowledgment by signature that they have read and understood the policies and procedures.

The CAE is responsible for ensuring that an audit manual is created and maintained, that it is distributed throughout the internal auditing activity, and that the policies and procedures contained in the audit manual are consistently and continually enforced.

The purpose of the audit manual is, in general, to:

• Provide guidance to activity members that will support adherence to the profession’s code of ethics and professional standards.
• Define a high level of performance expectations for staff that will enable the activity to fulfill its role in supporting the organization’s governance, risk management, and control objectives and to fulfill the activity’s own strategic objectives.
• Focus activity members on key objectives and values. For example, an activity may focus on assuring controls or adding value to the organization by identifying opportunities for greater efficiency and quality—or it may balance both roles.
• Coordinate roles and responsibilities within the activity and in relation to other internal and external bodies.
• Codify critical processes, such as the steps involved in performing different types of engagements, and policies, such as protection of confidential information and communication and monitoring of engagement results.
• Provide the basis on which to evaluate the internal auditing activity’s performance.

As suggested in Implementation Guide 2040, audit manuals can vary in content and format. Exhibit I-1 lists possible topic headings for audit manuals.

Exhibit I-1: Sample Audit Manual Content

Topic | Description
Internal audit charter | Establishes the purpose, scope of authority, and responsibilities of the CAE and the internal audit activity, including professional standards, responsibilities, and ethics/code of conduct
Internal audit organization | Reporting structures, services provided by internal audit
Internal audit strategic plan | Process and schedule for developing strategic goals and objectives
Annual audit plan | Process for developing and modifying the annual audit plan, from identifying audit universe through risk analysis and allocation of resources, including risk management tools to be used
Personnel | Roles and responsibilities, training and career development, certification opportunities, continuing education requirements, and performance management system
Communication | Guidelines for communicating with internal clients and external bodies; handling of confidential information
Audit engagement procedures | Procedures to be followed, from planning through reporting; requirements regarding workpapers; report template
Quality assurance and improvement program (QAIP) | Description of QAIP requirements; evaluation processes
Administration | Policies regarding tracking of time, documentation, and document retention
Implementation Guide 2040 explains that in small internal audit activities, close and daily supervision may take the place of formal internal audit operations manuals. However, in large audit activities, more formal and comprehensive policies and procedures may be essential to guide the internal audit staff in the execution of the internal audit plan.

Audit Activity Organizational Charts

It is important that internal auditors understand the roles and responsibilities of each layer of the internal audit organization’s reporting structures (the second item listed in Exhibit I-1). Exhibit I-2 shows an example of an organizational chart for an internal audit activity. Note that CAEs have significant flexibility in determining job titles and the organizational structure of the internal audit activity. Also, the number of persons on staff in the internal audit activity may influence the type of structure. Therefore, treat this as one example of how the activity might be organized.

Exhibit I-2: Sample Internal Audit Activity Organizational Chart

Exhibit I-3 explores these internal auditor authority levels.

Exhibit I-3: Internal Audit Activity Authority Levels

Title | Description
Chief audit executive | The CAE is a corporate executive in charge of internal auditing. This individual typically has a dual reporting structure: first, reporting functionally to the audit committee of the board of directors to ensure independence from management and, second, reporting administratively to the chief executive officer (CEO). The CAE ensures that a risk assessment is performed periodically and uses this, plus knowledge of corporate objectives, to establish risk-based audit plans and internal audit priorities. The CAE coordinates with other internal and external assurance providers to minimize duplicate work and ensure proper and efficient audit coverage in accord with the approved annual audit plan. He or she monitors engagements for timely completion and provides an annual holistic opinion on the adequacy and effectiveness of governance, risk management, and control processes.
Audit manager (for a specific area) | An audit manager directs the performance of assurance and consulting engagements and interacts with functional area managers in areas being audited to fully understand the activities being performed and any relevant issues while remaining independent from these areas. For example, an audit manager for operations, compliance, and reporting (this mirrors the three control objectives in the COSO internal control framework) needs to have a good understanding of the organization’s operations. An audit manager for information technology (IT) would need competencies in understanding IT risk and control and the impact of technology on organizational objectives. Audit managers for any area will also coach, counsel, and direct auditors in their area in accordance with the IPPF to ensure that these professionals get the development they need to meet changing needs.
Senior auditor | A senior auditor conducts assurance and consulting engagements of up to moderate complexity and exercises good business judgment and skills to develop appropriate audit recommendations in accordance with the IPPF. Senior auditors are expected to understand client business operations, develop and maintain professional working relationships with clients, and work in a professional manner. A senior auditor may also be charged with providing staff auditors with day-to-day direction and guidance under the overall supervision of the audit manager.
Auditor (staff member) | An internal auditor staff member works under supervision to conduct assurance audits and develop recommendations in accordance with the IPPF. Auditors are expected to work alongside senior auditors to learn professional practices on audits, gain exposure to various types of projects, learn about operations in various functional areas, build a knowledge base of organizational operations, perform general research, and provide support.
Topic B: Administrative Activities of Internal Audit (Level B)

As the leader of internal audit, the CAE is tasked with many aspects of functional management, including budgeting and staffing. (Staffing includes things like workforce planning or resourcing, creating or revising position descriptions or organizational charts, recruiting, recruit selection, and contractor management.) These administrative activities are key components of successful internal auditing.

Budgeting

Effective budgeting depends on a sound organizational structure, meaning a budget in which authority and responsibility for each operational phase are clearly defined. Budgets built on a solid foundation of research and analysis are better equipped to produce realistic goals that aid in achieving the organization’s desired growth and profitability.

Here are some of the main benefits of budgeting:

• Planning ahead. A solid budget plan requires all levels of management to be involved and to formalize goals on an annual or more frequent basis.
• Definite objectives. Identifying definite objectives provides for performance evaluation at each responsibility level.
• Early warning system. Working from an established budget allows for early identification of potential sources of conflict or issues so that these situations can be addressed by management in a timely manner.
• Coordination of activities. A budget links segmented goals within the company’s overall list of objectives so that the organization as a whole can incorporate multiple facets of its various departments.
• Management awareness. Budgeting results in a greater awareness of the organization’s overall operations at the management level, including the impact that external factors might have on the operation as a whole.
• Personnel motivation. Meeting budget objectives can motivate personnel through use of various incentive or reward mechanisms that are also tied to maintaining high quality work rather than being based solely on meeting the budget.

A well-developed budget is the key component of planning that enables the internal audit activity to perform its mission on time and within established financial parameters. The CAE will also create a schedule budget, aligning the number of available audit personnel against available work hours to determine the amount of coverage that can be provided during a fiscal year as well as within each audit project.

Staffing

Staffing begins with workforce planning, followed by creating or revising position descriptions. It then proceeds to recruiting and screening applicants or contractors with the desired skills, knowledge, and characteristics; interviewing applicants or contractors to confirm that they possess the necessary qualifications; and selecting and hiring those applicants who can succeed in the job and the organization.

In large organizations, the CAE or designee may work with the human resources department, who can provide invaluable assistance and reduce staffing risks by ensuring that the process conforms to employment laws and regulations (and, in the case of contractors, tax laws) and organizational hiring and contracting policies. HR can also offer experience in the selection process to reduce the risk of a bad hire or an ineffective contractor. In smaller organizations, the CAE or designee may do the interviewing and hiring themselves or use external service providers.

Workforce Planning (Resourcing)

Workforce planning involves determining the number of employees and/or contractors that are required in each position for the internal audit activity. HR may already have performed workforce planning for the entire organization, and, if so, the CAE will need to conform to the limits established in the workforce plan as well as in the budget. If the CAE feels that the workforce plans are unbalanced or insufficient, he or she can raise